tag:www.schneier.com,2016:/blog//2/tag:www.schneier.com,2007:/blog//2.1355-2016-09-03T05:32:28ZComments for Excessive Secrecy and Security Helps TerroristsA blog covering security and security technology.Movable Typetag:www.schneier.com,2007:/blog//2.1355-comment:227680Comment from Anonymous on 2007-12-24Anonymoushttp://www.usome.com
Funny, I read this highly fractured and disjointed article and extracted a different conclusion.]]>
2007-12-24T06:50:10Z2007-12-24T06:50:10Ztag:www.schneier.com,2007:/blog//2.1355-comment:144589Comment from Stephan Samuel on 2007-02-07Stephan Samuelhttp://www.ihaveawebsite.com
@Alan,

I think you've hit a very important point dead-on: lack of respect breeds contempt.

It doesn't matter whether the lack of respect comes from experience or ignorance, but eventually people you wrong will wrong you. It's amazing how many self-proclaimed Christians, lawmakers, fall to the seven very sins that they're taught to avoid.

What happened to the days of "statesmen," who had enough intellectual breadth to respect at least a few people?

]]>
2007-02-07T18:14:21Z2007-02-07T18:14:21Ztag:www.schneier.com,2007:/blog//2.1355-comment:144567Comment from Randle on 2007-02-07Randle
Half Cover Will Travel
By
Randle Flagg

This opinion article is submitted to be distributed freely and to generate opinions.

When is the government or better yet intelligence agencies going to get serious about cover for its employees? Now I know people might say, before 911 they had not a clue, well I am here to say in my opinion, after 911 they still are not doing enough. That is until someone proves me wrong. The CIA and others have recently told potential applicants not to tell anyone if possible of their intentions of applying as it might make it hard for them to do cover work.

The role of cover as defined is :To protect by contrivance or expedient, to hide from sight or knowledge. Let us take a for instance.

When a Person ( Bob) applies for a job at the National Security Agency or Central Intelligence Agency, Defense Intelligence Agency, Federal Bureau of Investigation or any of the others, that is considered of national security, it is usually done through several ways. First through the agency website. Now if I do not want anyone to know that I am going to apply there, how do I know that my connection is safe. For argument sake, I apply through my home computer, which uses a Internet connection supplied by the wonderfully fast XYZ Inc. Which is a USA owned company. Now I have been surfing, find the agency website and apply. Everything up to the point when I apply is open for my provider, XYZ to see. Unless I use a secure connection or anonymizer, but do we really think the government would let exist such communications without being able to monitor, ya right. For argument sake lets say XYZ is a growing company with billions of dollars, and in need of many people to handle administration to networks , router, switches and customer accounts. I am joe hiring manager and I need 100 service reps to handle customer accounts and phone issues. I need another 100 to handle the telecoms infrastructure and I need another 100 for software programming. XYZ is a consciousness company and is concerned about getting the right people hired and for argument sake they only advertise to hire US citizens. As joe hiring manager I am super busy and rely on my crack Human Resource team to vet all employees. Human Resources, has the best software and does online background checks on theses employees and all 300 pass muster. WOW, Human Resources must be really good and they did a background check, meaning they looked back 5 maybe 10 years on a credit report. Red Flag! Also, they did not call references or run names through FBI as they were too busy thinking of their next move to get Human Resources elevated to a boardroom seat and the FBI does not have the people to handle running names for every corporate company, even though it is only 300 people that XYZ has in their entire company. So now as joe hiring manager I have 300 people composed of Asian, Indian, American, Muslim, and other assorted people who are god loving USA loving patriots and I have nothing to worry about, WRONG.

Whats wrong with this picture? The fact is that XYZ has 80,000 employees not 300, is that no where in this chain can a company total guard against the potential wrong insider or foreign intelligence service. Worse yet, lets figure that of the 80,000 only 10 are bad folks and of that 10 only 5 are supplanted by a foreign country to gather Intel. Yes I said supplanted! Do you think for one second that foreign Intel services have not instructed their students going to college here for 10 years or more to assimilate, become one and then suck us dry. The fact is the FBI has said publicly that just china alone has over 3000 front businesses, never mind the tens of thousands of students. Foreign intelligence tells their people to go to the USA and set up a life, get a house, marry, join the local clubs, establish a credit history and perhaps a SS#. Oh did I mentioned that my crack Human Resources department ran social security numbers and none came back as bad. Why, because the system is broke and the social security administration cannot verify a foreign intelligence agent as they have been here for 10 years and got a number the legal way!

Do you think for one second that foreign intelligence services would rather milk our USA companies for intelligence rather then try to plant spies inside the intelligence agencies themselves as it is way to hard and the failure rate would be cost prohibitive, but I am sure they point a few of them that way for yucks. Now back to our bright, well educated person,Bob who has looked up every grain of sand on his next employer, with his XYZ connection -in this case the intelligence agencies and then applied. That might be a nice piece of info combined with their IP address, account on XYZ , where they live, what restaurants they like to research and eat at ( nice for a bump into meeting),who they email, what school they go to or current job, who they write love letters to - behind their spouses back, what porn they surf, what electronics they buy and might have in their house--( don't think for one minute that foreign Intel services are not capable of engineering a micro camera and or recording devices into your house, TV , stereo, alarm system or whatever if they know you are going to work for any Intel outfit or area of interest. Just because USA Intel does it does not mean they are the only game in town. The point is, Bob's cover is blown before he even starts. What about Bob's neighbors, are they hacking him by WiFi??

Let us go one step further; Bob uses a secure connection to surf and apply, he gets a interview and a letter is sent from the agency which he applied to his address at home or at the 600 unit apartment building he rents at and bang, the postal guy accidentally puts Bobs interview letter/ form that the agency sent into his neighbors box. His neighbor, might be someone he knows, does not know, is a blabber mouth, or just happens to be someone who is a collector of information and sees who it is from and it now ends up on the Internet or makes note of it or does not even give the letter to Bob and reads it himself (Numan) so much for Bob's cover. Lets say Bob has made it through the tests for the job and now has to have a background investigation. This now means that Bob, has to has atleasts 8 people he knows, know he is doing something a little out of the ordinary and the background investigator is going to knock on his neighbors doors who might be foreign Intel or blabber mouths or gossip kings and queens at their local country club. red flag. Even if the investigator tells all these people he works for the local consulting company and is just checking references, he still has to ask the questions on the SF86 and others that totally blow any covertness.

Moving on,now lets say Bob has not had a breach of security though the interview and is hired. He has to have direct deposit to his Bank, Bank of The United States and they only have 1000 employees ya right make that 200,000 and operate in several countries and/or share personal information for marketing purposes with companies that are of suspect origin. red flag! forget that last foe pa! Bob is under cover working for a Intel agency, what shows up in his bank statements??? I bet it has something to do with the government, red flag! What about his health insurance he has through the government, surely company XYZ has it under control. What does it look like when half his premium gets paid by a government entity? red flag! What about the life insurance, long term care, errors and emission insurance; which many Intel folks buy to CYA, but who is CYAing them and the company? So all these red flags, and lets say for argument sake he has not been found out. Wait a minute Bob gets sick and goes to the hospital and presents his health insurance card, the admission person see this and says, oh you work for the government, my friend I know has the same insurance and works for the intelligence agencies. red flag! Or one of Bob's family members has to use health ins or other covered service,if Bob had a family, were they given instructions on how to present themselves or will his wife or if it were Alice, her husband, blab about it the work? red flag.

How about this; one day Bob is mowing his lawn and sees his neighbor,our man Flynn,who starts talking to him and asks, hey Bob, what do you do for a living, ( Bob replies ) oh I work for the DOD, wrong answer. red flag. I work for a consulting company,XYZ, wrong answer, red flag,a lie that now must have to be proven true, you see our man Flynn is in the Intel business and knows already that several of the neighbors are consultants but really work for NSA,CIA etc.. You see Bob, was never given a ( Non Official Cover and story ) to aid him or never told not to tell anyone or trained in rehearsing the company line. In addition to Bobs latest foe par, Bob has been going to many meetings in the government sector, and private sector as a scientist and putting down his real name, agency email address and agency address on all the sign-in sheets, Bad Bob. He also was never given a cover name, because, well the agency did not think he needed it or it is to expensive to think up one with a cover story. Bob is FU&*ed throughout this entire process.

OK, I know you might be saying , your crazy , paranoid, ma sugar, bats in the belfry. Reverting back to the XYZ example, lets forget that it was a USA owned Internet company. How about a French owned telecoms or perhaps a china telecoms or how about Print, Herizon, Xtel ( Not there real names but sound like) get the picture. There are many companies both USA owned and foreign owned that have connections / business in the USA that Bob is F*c*ed before he even wakes up. Any company that thinks it can compartmentalize like a intelligence agency and still say they operate like a public business and can assure you that your privacy is safe, can now get up and leave the room single file. Lets take another example, I am a Intel officer of a foreign company outside the USA but surfing with Google. I plug the following inquiry in:XYZ.gov
Dam that returns Bob's email address and a leads right to a Intel agency along with all the other agencies Bob has been emailing, thus the names of people who might have thought they wanted to work under cover at one time but have been compromised and did not even know it. What if I only want excel spreadsheets,word docs, PDF's! That brings up meetings with all kinds of folks emails and affiliations

How about the other USA Intel domains. What about a search on the Intel agencies name plus Resume. I suspect folks who list there resume online and work history's at the government places mentioned are asking for foreign Intel to make a note so next time they travel on vacation to an overseas location, our man Flynn or one of his brothers will be on your left!

]]>
2007-02-07T16:37:00Z2007-02-07T16:37:00Ztag:www.schneier.com,2007:/blog//2.1355-comment:144020Comment from Ralph on 2007-02-05Ralph
This also holds true in network security.

I suggest that proportionality is the difference between response and panic.

To be proportional you must first correctly measure the level of the threat. This is very hard do without a rational thought process.

So much of our market is driven out of insecurities that this process is often sidelined.

People "honestly" ask, "Why do they hate us so much?" It's as if people have no understanding of the imperialism that dominated Africa and the Middle East through Asia, split the land so that logically related groups were divided among several different countries, gave up their holy land (holy to too many groups, unfortunately) and re-created Israel in it because the German Hitler was a nut, killed democratically elected leaders in order to install "approved tyrants," allow the lands to be despoiled in order to extract oil that is then sold to enrich local tyrannies instead of its people, and then those tyrants buy weapons from the western governments to ensure they keep their power. And never mind that many western folks are Christians with a less than friendly take on Muslims.

We see it on "small scales" like how the US bans cigarettes and sues tobacco makers, but then gives subsidies to tobacco farmers and western companies then peddle those wares in foreign countries.

You'd hate the west too if they had treated you this way. We certainly wouldn't want any "foreigners" doing that to us, yet that's exactly who we are when we dictate matters elsewhere.

Most tyrannies will fall of their own accord if people can see true liberty and justice served. Having an anti-pollution law in the US that then causes Americans to go to another country to pollute there isn't justice. We can't build all of the bombs and then be upset when others build them too (30 years later). Or build space weapons and then look astonished that others would threaten us by building their own.

We need to treat others how we'd like them to treat us.

Everything you learned in kindergarten about how to behave holds true.

This is not pacifism I'm talking about. Justice allows for force when wronged. But it does mean that your motives are clear and just, and that your actions follow the laws you set for yourself.

]]>
2007-02-03T22:41:22Z2007-02-03T22:41:22Ztag:www.schneier.com,2007:/blog//2.1355-comment:143425Comment from kaukomieli on 2007-02-03kaukomieli
WOULD YOU LIKE TO PLAY A GAME?
> GLOBAL WAR oN TERRORISM

STRANGE GAME. THE ONLY WINNING MOVE.
IS NOT TO HATE.
by 0xABADC0DA (867955) on slashdot.org

--------

While this sums it up pretty good it might only be true for the situation of relative safety we have to deal with in the western countries.
After taking a trip to israel I have to admit, that the mantra of "do not let your police do the terrorists work by taking away your freedom" has lost some of its appeal to me, since it is rather difficult to live up to it while being only one wall apart from a suicide bomb explosion.

I would also like to point out the part "excessive government secrecy and draconian counterterrorism measures". No one could disagree with at least the first part of this sentence, since _excessive_ does mean "too much", and the same almost goes for draconian. But as long as we (all, including the US administration for example) can not agree on where the line is between necessary and excessive/draconian this statement will take us nowhere.

:)
kaukomieli

]]>
2007-02-03T10:57:53Z2007-02-03T10:57:53Ztag:www.schneier.com,2007:/blog//2.1355-comment:143363Comment from mitch on 2007-02-02mitch
"Contemptious laws generate contempt for all laws.

Contemptious security generates contempt for all security."

Exactly, Alan. Exactly.

]]>
2007-02-03T01:30:53Z2007-02-03T01:30:53Ztag:www.schneier.com,2007:/blog//2.1355-comment:143336Comment from Alan on 2007-02-02Alan
Contemptious laws generate contempt for all laws.

Contemptious security generates contempt for all security.

]]>
2007-02-02T23:37:04Z2007-02-02T23:37:04Ztag:www.schneier.com,2007:/blog//2.1355-comment:143271Comment from soothsayer on 2007-02-02soothsayer
Dumbest Post of the Year:
But the year is young .. I have high hopes.

If I won't tell you how to make an a-bomb you will blow me up with tnt to find out .. so I should post my a-bomb recipe on the front door so that you can blow me up with a-bomb .. joy.

]]>
2007-02-02T20:21:57Z2007-02-02T20:21:57Ztag:www.schneier.com,2007:/blog//2.1355-comment:143256Comment from derf on 2007-02-02derf
I think MORE secrecy might be prudent in some cases. If the Boston incident had been handled a good bit more secretly, we wouldn't be laughing so hard.]]>
2007-02-02T20:07:51Z2007-02-02T20:07:51Ztag:www.schneier.com,2007:/blog//2.1355-comment:143237Comment from Jack C Lipton on 2007-02-02Jack C Lipton
"We had to enslave you in order to protect your freedoms"]]>
2007-02-02T18:55:36Z2007-02-02T18:55:36Ztag:www.schneier.com,2007:/blog//2.1355-comment:143236Comment from Jim on 2007-02-02Jim
Funny, I read this highly fractured and disjointed article and extracted a different conclusion.]]>
2007-02-02T18:48:26Z2007-02-02T18:48:26Ztag:www.schneier.com,2007:/blog//2.1355-comment:143229Comment from Bob Rolf on 2007-02-02Bob Rolf
The slashdot discussion Neal referred to

]]>
2007-02-02T18:10:51Z2007-02-02T18:10:51Ztag:www.schneier.com,2007:/blog//2.1355-comment:143228Comment from Geoff Lane on 2007-02-02Geoff Lane
Time for a competition: what is the least threatening object that has caused a bomb-scare?

So far that blob of jelly by the side of a German highway must be number one.

]]>
2007-02-02T18:08:12Z2007-02-02T18:08:12Ztag:www.schneier.com,2007:/blog//2.1355-comment:143226Comment from Joe Buck on 2007-02-02Joe Buck
Sorry, Clive, I don't believe your suggestion that the IRA tried to attack infrastructure rather than people because of pressure from Thatcher about what would be reported. They were terrorists, but their cause was political, and clearly blowing up infrastructure would be less harmful to their cause than blowing up people.
]]>
2007-02-02T18:05:04Z2007-02-02T18:05:04Ztag:www.schneier.com,2007:/blog//2.1355-comment:143225Comment from Neal on 2007-02-02Neal
Yes, I got a kick the other day when I read a story on slashdot or digg about satellite images used by google earth. Seems the company that took them blurred out the buildings which might be of interest to terrorists. So now all they'd have to do is view the city and target the blurred buildings. Way to go Gov'ment - show 'em exactly where to hit us so they don't have to do any research.]]>
2007-02-02T18:03:32Z2007-02-02T18:03:32Ztag:www.schneier.com,2007:/blog//2.1355-comment:143208Comment from jeff on 2007-02-02jeff
Well, I didn't really expect to have summary quote the article word for word. I think that summary relates a couple of the main points in the article. As support, the article clearly says that too much secrecy hampers government efforts.

"More broadly, there is a risk that, absent adequate public dialogue and a surfeit of secrecy, the justification for action by governments against terrorism will be undermined or misunderstood. This in turn can put in jeopardy the legitimacy of the government response."

]]>
2007-02-02T16:22:49Z2007-02-02T16:22:49Ztag:www.schneier.com,2007:/blog//2.1355-comment:143187Comment from Frank Ch. Eigler on 2007-02-02Frank Ch. Eigler
Strange, nowhere in the referenced article can I see any claim that "excessive security and secrecy helps terrorists". Projecting or reading between the lines?

The closest quote from the CSIS person seems to be this one: "Over-reaction to terrorism, it should be remembered, is a fundamental objective of most terrorists in history.", which may or may not be true, but does not indict secrecy or security per se.

Perhaps this quote seems more relevant: "More broadly, there is a risk that, absent adequate public dialogue and a surfeit of secrecy, the justification for action by governments against terrorism will be undermined or misunderstood. This in turn can put in jeopardy the legitimacy of the government response.". This is the only place in the article that quotes the word "secret", and suggests a possible *public relations* problem rather than terrorism assistance.

Maybe you mistook the ordinary reporter's sensational opening blurb as an accurate summary of the base material?

]]>
2007-02-02T15:25:23Z2007-02-02T15:25:23Ztag:www.schneier.com,2007:/blog//2.1355-comment:143184Comment from sean on 2007-02-02sean
Which is why the Boston cartoon panic and the news publicity is going to have long lasting effects. It was not the placement of lite-brite panels with a battery that caused all the problem, but an intense panic over something that had been sitting there for 1-2 weeks before a police force suddenly panicked, a news media that needed to boost ratings showing a whole city shut down over this panic and the public saving of face that is now going on as the placements of ATHF brite-lite boards are being spun by the local government there saying that the boards were made to look like hoax bombs instead of the simple placement of a board covered with LED's that had a battery pack on the back of it.

The way it was reported, anyone interested in disrupting a whole city now knows that Boston is like a stupid horse, ready to completely blow up and go into a bucking fit, just because there is a rope laying on the sidewalk.

The next step is to leave hard drives attached to a cable and a driver board laying around all over the city. After all, a sophisticated electronic device with wires is automatically a bomb. There are plenty of old AT computers laying around somewhere that could provide the materials to someone who wants to cause economic mayhem and it's a whole lot cheaper, less PR disasterous to them and makes us look like a bunch of panicking monkeys instead of intelligent humans.

]]>
2007-02-02T15:11:34Z2007-02-02T15:11:34Ztag:www.schneier.com,2007:/blog//2.1355-comment:143178Comment from Martin on 2007-02-02Martin
As I said in a response to the “Non-Terrorist Embarrassment in Boston��? posting:

Americans be free! Be brave!
By being free and being brave you will be more secure!

I’ll elaborate that in less emotive terms:

Be free!
Being free also means defending the freedoms of others. Act in a way that reflects your fundamental democratic values. This includes, of course, freedom of religion. By defending freedom of religion it lessens the perception that Islam is under attack.

"The most important factor for radicalization is the perception that Islam is under attack from the West. Jihadists also feel they must pre-emptively and violently defend Islam from these perceived enemies..."

"Democracies have taken a long period to develop and their values, laws and institutions continue to provide inspiration to those without the luxury of living in one. It is thus essential that in responding to threats such as terrorism we do so in a fashion that best reflects what democracies stand for."

Be brave! (that is don’t over-react because of fear)

"The response must be calibrated carefully so as to optimally protect Canadians and Canadian interests while containing an often natural disposition of giving in to fear and panic."

"Over-reaction to terrorism, it should be remembered, is a fundamental objective of most terrorists in history. We should not accommodate their goals in this regard."

]]>
2007-02-02T14:53:37Z2007-02-02T14:53:37Ztag:www.schneier.com,2007:/blog//2.1355-comment:143168Comment from Clive Robinson on 2007-02-02Clive Robinson
In the UK back when Maggie Thatcher was PM the PIRA where bombing the UK mainland

At the time various people where pushing for news black outs so as not to "aid the terorist" by giving them publicity.

There was a rumour at the time that the PM's response was to "report" it as factually as possible but give atacks which hurt people low priority shorter news slots, and give higher priority longer news slots to those where people where not hurt.

The result (apparently) was that for a time the PIRA limited their attacks to infrustructure tarkets such as signaling junction boxes on railway line sides.

If it is true then it shows that it is not just what you report but how you report it can control the behaviour of terorists.